Introduction

During the course of NHS Borders OHS activities we will collect, store and process personal information about prospective, current and former staff of organisations to whom we provide services. For the purposes of this privacy notice, 'staff' includes applicants, employees, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. This privacy notice provides a summary of how we will ensure that we do that, by describing:

  • The categories of personal data we may handle
  • The purpose(s) for which it is being processed, and
  • The person(s) it may be shared with.

This notice also explains what rights you have to control how we use your information. Please read it carefully to understand what we do.

What laws are relevant to the handling of personal information?

The law determines how organisations can use personal information. The key legislation governing the use of information is listed below:

  • General Data Protection Regulation 2016
  • The Data Protection Act 2018
  • The Human Rights Act 1998
  • Freedom of Information (Scotland) Act 2002
  • Computer Misuse Act 1990
  • Regulation of Investigatory Powers Act 2000
  • Access to Health Records Act 1990, and
  • Access to Medical Reports Act 1988

In relation to the use of your personal data, however, the law is primarily set out in the Data Protection Act 2018 and the General Data Protection Regulation 2016 (GDPR). For the purposes of the data protection legislation, NHS Borders is the 'Data Controller' of staff information: the organisation that decides why and how that information is collected, held and used.

What types of personal information do we handle?

Personal information

In order to carry out our activities and obligations as an OHS provider we handle data in relation to:

  • name, home address, telephone, personal email address, date of birth, employee identification number and marital status, and any other information necessary for our business purposes, which is voluntarily disclosed in the course of an employee's interaction with us.
  • National insurance number.
  • Absence information, e.g. annual leave, sickness absence, maternity leave, paternity leave.
  • Occupational health clearance information.
  • Occupational health records.
  • Qualification and training information.

Special category information

  • Information about race, ethnic origin, religious or philosophical beliefs and health.

When you are no longer our employee, we may continue to share your information as described in this notice, as long as this is fair and lawful.

What is the purpose of processing data?

Your personal data is collected by NHS Borders OHS for the purposes of employee health, safety and well-being. It will be captured and stored on an electronic system and will be used and shared by occupational health professionals in NHS Borders OHS, as appropriate, with human resources (HR) professionals in organisations where you are working in any capacity or where you have been offered employment.

We use information about you in order to:

  • Evaluate health in relation to employment
  • Manage health aspects of your employment, including but not limited to, absence monitoring, development and training, and other general occupational health and HR administrative processes
  • Maintain sickness records, and occupational health records
  • Maintain emergency contact details, which involves us holding information on those nominated by you
  • Comply with applicable laws e.g. health and safety

Our legal basis for using your personal data is "Public Task" – it is necessary in order for us to deliver our responsibilities as an NHS organisation.

Our legal basis for using your special category personal data is "Purposes of Occupational medicine and for the assessment of the working capacity of the employee."

Sharing your information

There are a number of reasons why we share information. This can be due to:

  • Our obligations to comply with current legislation, and
  • Our duty to comply with any Court Order which may be imposed.

If the legal bases stated under 'What is the purpose of processing data?' above do not apply we will seek your consent to share your information, but we need to highlight to you that we may be required to share information without your consent in some circumstances, e.g. health and safety issues or the prevention and detection of crime.

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Information is only shared with those agencies and bodies who have a "need to know", or where you have consented to the disclosure of your personal data to such persons.

In order to comply with our obligations as an OHS we will need to share your information as follows:

  Reasons why we share your personal information | Who we share your information with (the list below is not exhaustive)
  For the purposes outlined above                | Human resources, occupational health and line managers
  Professional registration purposes             | Regulatory bodies such as the General Medical Council, Nursing and Midwifery Council
  Training                                       | Your employer and regulatory bodies e.g. the Health and Safety Executive

Background on sharing and our responsibilities

Privacy laws do not generally require us to obtain your consent for the collection, use or disclosure of personal information for the purpose of your health at work. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required by law or regulatory requirements to do so.

It should be noted that the first of the principles of the GDPR 2016 says that personal data shall be processed lawfully, fairly and in a transparent manner. In practice, this means that NHS Borders OHS must:

  • Have legitimate grounds for collecting and using personal data
  • Not use the data in ways that have unjustified adverse effects on the individuals concerned
  • Be transparent about how it intends to use the data – and give individuals appropriate privacy notices when collecting their personal data
  • Handle people’s personal data only in ways they would reasonably expect
  • Make sure it does not do anything unlawful with the data

Information about the rights of individuals under the GDPR can be found online at:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

Security of your Information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

NHS Borders OHS staff have a legal and contractual duty to keep personal health information secure and confidential. The following security measures are in place to protect personal information:

  • All staff undertake mandatory training in Data Protection and IT Security
  • Compliance with NHS Scotland Information Security Policy
  • Organisational policy and procedures on the safe handling of personal information
  • Access controls and audits of electronic systems

Information provided in confidence will only be used for the purposes advised or as otherwise allowed for in the Data Protection legislation.

Retaining information

We keep your information only for as long as is needed to fulfil the purposes for which it was collected, including meeting any legal, accounting or other reporting requirements or obligations: normally 6 years after the end of your employment, or 40 years for health surveillance records. NHS Borders OHS complies with the Scottish Government Records Management: NHS Code of Practice (Scotland) 2012, which sets out the minimum retention timescales: http://www.gov.scot/Publications/2012/01/10143104/7.

We may, instead of destroying or erasing your personal information, make it anonymous so that it cannot be associated with or tracked back to you.

How can you get access to your personal data?

The GDPR gives you the right to access the information which NHS Borders OHS holds about you, subject to any exemptions. When making a request you will need to provide:

  • Adequate information [for example full name, address, date of birth, staff number, etc.] so that your identity can be verified and your personal data located
  • An indication of what information you are requesting to enable us to locate this in an efficient manner.

You should make your request directly to NHS Borders OHS (see How to contact us below).

We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 1 month of receipt unless there is a reason for delay that is justifiable under the GDPR. In this case we will notify you of the delay within one month and advise when we will provide you with the requested information.

What if the data you hold about me is incorrect?

It is important that the information which we hold about you is up to date. If your personal details change or if they are currently inaccurate then it is important that you let us know by contacting us. In some circumstances, we may not agree with your request to change your personal information and will instead add a note to the record in question setting out your view.

Complaints about how we process your personal information

In the first instance, you should contact the Head of Work & Wellbeing (see How to contact us below).

You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at www.ico.org.uk.

Data Protection Notification

NHS Borders is a ‘data controller’ under the Data Protection legislation. We have notified the Information Commissioner that we process personal data.

The details are publicly available from:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

www.ico.org.uk

How to contact us

Please contact us if you have any questions about our privacy notice or information we hold about you:

Head of Work & Wellbeing
NHS Borders
Newstead
Melrose
TD6 9DA

Tel: 01896 825982

E-mail: ohsadmin@borders.scot.nhs.uk